credentials

Latest

  • LastPass patched a bug that could have exposed your passwords

    by Christine Fisher
    09.16.2019

    If you use LastPass to manage your passwords, now would be a good time to make sure you're running the latest version, 4.33.0. As Gizmodo reports, LastPass recently patched a bug that could have been used to compromise users' security credentials. The patch should have arrived automatically, but as a precaution, it's worth making sure you're running the September 12th update.

  • Samsung leak exposed source code, passwords and employee data

    by Christine Fisher
    05.08.2019

    Samsung was reportedly leaking sensitive source code, credentials and secret keys for several internal projects. According to TechCrunch, independent security researcher Mossab Hussein discovered dozens of exposed files in a GitLab used by Samsung engineers and hosted on a company-owned domain. The projects were reportedly set to "public" and not protected with a password.

  • Android's digital wallet could eventually hold your driver's license

    by Jon Fingas
    03.06.2019

    Governments have been exploring digital driver's licenses for a while, but there are quite a few flaws with existing approaches. You usually have to rely on a proprietary app, sometimes with uncertain security... and what happens if your phone is low on battery when you need to flash your credentials? Google might have a solution. XDA has discovered that Google is working on an IdentityCredential framework that would securely store and display digital IDs, including driver's licenses. It could also display your ID even if there isn't enough power to start Android -- you'd just need the power for a secure chip and a "low-power communication channel."

  • Google admits sensitive email accounts have been hacked, some users knew months ago (update: US says no government accounts compromised)

    by Sharif Sakr
    06.02.2011

    The Contagio security blog posted evidence back in February of targeted attacks against government and military officials on Gmail. Today, nearly four months later, Google has finally admitted this is true: hundreds of personal accounts have been compromised by hackers it believes to be working out of Jinan, the capital of China's Shandong province. The accounts include those of "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." The hijackers' aim appears to have been to spy on their targets using Google's automatic forwarding function. But unlike the PSN fiasco, Google insists its internal systems "have not been affected." Instead it seems the hackers used a phishing scam, possibly directing users to a spoof Gmail website before requesting their credentials. Google says its own "abuse detection systems" disrupted the campaign -- but in a footnote right down at the bottom of their official blog page they also credit Contagio and user reports.

    Update: And in comes China's response, courtesy of Foreign Ministry spokesman Hong Lei. "Allegations that the Chinese government supports hacking activities are completely unfounded and made with ulterior motives." OK then, that settles that.

    Update 2: And the saga continues... According to an AP story published earlier today, the Obama administration has stated that the FBI is looking into allegations that hackers broke into Google's email system, but denied that any official government accounts were compromised. A White House spokesman went on to say that government employees are free to use Gmail for personal purposes, and cannot be sure who in the administration might have been affected by the attack. Let's just hope they know how to leave the sensitive stuff at the office.

  • Key pattern analysis software times your typing for improved password protection

    by Michael Gorman
    05.20.2011

    The recent pilfering of PlayStation Network passwords and personal info shows that having a strong passcode doesn't always guarantee your online safety. However, key-pattern analysis (KPA) software from researchers at American University of Beirut may be able to keep our logins secure even if they're stolen. You create a unique profile by entering your password a few times while the code tracks the speed and timing of your keystrokes. The software then associates that data with your password as another means of authentication. Henceforth, should the magic word be entered in a different typing tempo, access is denied. We saw a similar solution last year, but that system was meant to prevent multiple users from accessing subscription databases with a single account. This KPA software allows multiple profiles per password so that your significant other can still read all your email -- assuming you and your mate reside in the trust tree, of course.